EIP-712: Typed structured data hashing and signing

source Apr 10, 2026

ethereumeipsignaturescryptographyoff-chaindappwallet

EIP-712 is the Ethereum standard for hashing and signing typed structured data. It replaced opaque eth_sign hex strings with structured, human-readable, domain-scoped signatures. Authored by Remco Bloemen, Leonid Logvinov, and Jacob Evans; created 2017-09-12. Standards Track, Interface category. Requires EIP-155 and EIP-191.

Motivation

Signing raw bytestrings is a solved problem. Signing structured messages is not — and hashing them incorrectly erases the security properties of the system. Before EIP-712, users were shown messages like 0x19457468657265756d205369676e6564... and asked to sign blindly. This defeats the purpose of asking for consent. EIP-712 encodes both the data and its structure so that wallets can render field names and values in a verification UI before the user signs.

The extended signable message set

The set of signable messages is extended from transactions and bytestrings 𝕋 ∪ 𝔹⁸ⁿ to also include structured data 𝕊:

encode(transaction : 𝕋) = RLP_encode(transaction)
encode(message : 𝔹⁸ⁿ) = "\x19Ethereum Signed Message:\n" ‖ len(message) ‖ message
encode(domainSeparator : 𝔹²⁵⁶, message : 𝕊) = "\x19\x01" ‖ domainSeparator ‖ hashStruct(message)

The encoding is deterministic (each component is) and injective (the three cases always differ in the first byte, and RLP_encode(transaction) never starts with \x19). The encoding is EIP-191 compliant with version byte 0x01, domain separator as version-specific data, and hashStruct(message) as the data to sign.

See Ethereum Signed Message Encoding for the full leading-byte disambiguation scheme.

Typed structured data (𝕊)

The type system is modeled on Solidity structs. Example:

struct Mail {
    address from;
    address to;
    string contents;
}

Three categories of member types:

Atomic types: bytes1–bytes32, uint8–uint256, int8–int256, bool, address. No uint/int aliases. No fixed-point numbers.
Dynamic types: bytes, string. Declared like atomic types but encoded differently.
Reference types: Arrays (Type[] or Type[n]) and other structs. Recursive struct types are supported; cyclical data is undefined.

See EIP-712 Typed Data for the full type grammar.

hashStruct

The core hashing function:

hashStruct(s : 𝕊) = keccak256(typeHash ‖ encodeData(s))
typeHash = keccak256(encodeType(typeOf(s)))

typeHash is a compile-time constant per type. Because it prefixes encodeData, encodeData only needs to be injective within a single type — different types are already separated by their different typeHash.

Full derivation and alternative encodings considered are covered in EIP-712 hashStruct.

encodeType

A struct type is encoded as Name(type1 name1,type2 name2,...,typeN nameN). Example: Mail(address from,address to,string contents).

When a struct references other struct types, the set of referenced types is collected, sorted alphabetically by name, and appended to the encoding:

Transaction(Person from,Person to,Asset tx)Asset(address token,uint256 amount)Person(address wallet,string name)

encodeData

Concatenation of encoded member values, each exactly 32 bytes:

Booleans encoded as uint256 0 or 1
Addresses encoded as uint160
Integers sign-extended to 256 bits, big-endian
bytes1–bytes31 zero-padded at the end to bytes32
Dynamic bytes and string encoded as keccak256 of their contents
Arrays encoded as keccak256 of concatenated encodeData of their elements
Nested structs encoded recursively as hashStruct(value)

This matches abi.encode closely enough that a Solidity implementation is a one-liner:

function hashStruct(Mail memory mail) pure returns (bytes32) {
    return keccak256(abi.encode(
        MAIL_TYPEHASH,
        mail.from,
        mail.to,
        keccak256(mail.contents)
    ));
}

It also admits an in-place EVM implementation that writes typeHash and sub-hashes into the struct’s own memory layout and hashes in place, backing up and restoring the surrounding words.

Domain separator

domainSeparator = hashStruct(eip712Domain)

Where EIP712Domain is a struct with one or more of:

string name — the user-readable name of the signing domain (DApp or protocol name)
string version — the major version; signatures from different versions are incompatible
uint256 chainId — the EIP-155 chain ID; wallets should refuse signing if it does not match the active chain
address verifyingContract — the contract that will verify the signature; wallets may apply contract-specific phishing prevention
bytes32 salt — a disambiguating salt of last resort

Protocol designers include only the fields that make sense for their domain. Fields must appear in the order above (with absences skipped); future field additions must be alphabetical and come after these. See EIP-712 Domain Separator for why this matters and the canonical patterns.

eth_signTypedData JSON-RPC

The wallet RPC added by EIP-712:

sign(keccak256("\x19\x01" ‖ domainSeparator ‖ hashStruct(message)))

Parameters:

Address — 20 bytes, the signing account (must be unlocked)
TypedData — JSON object with types, primaryType, domain, message

JSON schema (simplified):

{
  "types": {
    "EIP712Domain": [...],
    "CustomStruct": [...]
  },
  "primaryType": "CustomStruct",
  "domain": { "name": "...", "version": "...", "chainId": 1, "verifyingContract": "0x..." },
  "message": { ... }
}

Returns a 65-byte hex signature in (r, s, v) big-endian order. The v parameter includes the EIP-155 chain ID.

personal_signTypedData takes an additional password argument. web3.eth.signTypedData(typedData, address) and web3.eth.personal.signTypedData(typedData, address, password) expose the same operation in Web3.js.

Security considerations

EIP-712 is a hashing and signing standard only. Two application-level concerns it explicitly does not address:

Replay attacks: Signed messages can be submitted twice unless the application rejects duplicates or makes the authorized action idempotent. Nonces are the standard mitigation. See Off-Chain Signatures for replay protection patterns.

Frontrunning: An attacker who intercepts a signature can submit it to the contract before the intended use. The application must either reject the out-of-order submission or produce the same effect regardless.

Backwards compatibility

keccak256(someInstance) in Solidity, when someInstance is a struct, currently evaluates to the hash of the memory address of the instance. EIP-712 considers this behavior dangerously broken — it appears correct in some scenarios and silently fails determinism in others. DApps depending on it are broken.

Connections

EIP-712 Typed Data: the type system and encoding rules
EIP-712 Domain Separator: binding signatures to chain, contract, name, version
EIP-712 hashStruct: the core hashing algorithm and its in-place EVM implementation
Off-Chain Signatures: the broader pattern of authorizing on-chain actions with off-chain signatures
Ethereum Signed Message Encoding: the \x19 leading-byte scheme from ERC-191
ERC-1271: Standard Signature Validation Method for Contracts: the standard that lets smart accounts verify EIP-712 signatures on their own behalf
Smart Account Signatures: the EOA vs contract signer verification pattern
Creating a Farcaster Account by Hand: applied example — computing an EIP-712 digest manually with cast and routing it through a Safe via EIP-1271

Backlinks

EIP-712: Typed structured data hashing and signing

EIP-712: Typed structured data hashing and signing (source)

EIP-712 Typed Data (concept)

EIP-712 Domain Separator (concept)

EIP-712 hashStruct (concept)

Off-Chain Signatures (concept)

Ethereum Signed Message Encoding (concept)

→

ERC-1271: Standard Signature Validation Method for Contracts The Ethereum standard that lets smart contracts verify signatures on their own behalf. Created July 2018 as a Standards Track ERC, it defines a single function — isValidSignature(bytes32 hash, bytes signature) returns (bytes4 magicValue) — that any contract can implement to answer the question "is this signature valid for you?". EIP-1271 is the bridge that lets smart contract wallets, DAOs, multisigs, and any other contract-owned identity participate in the EIP-712 off-chain signing ecosystem that was originally built for EOAs. →

ERC-1271: Standard Signature Validation Method for Contracts

Gas agnosticism: No gas limit is prescribed. A verifying contract may implement expensive logic — a multisig checking 20 signatures, a BLS aggregation, a stateful lookup. Callers must not hardcode a gas cap when invoking isValidSignature on an external contract, because a too-low cap would make valid signatures un-verifiable.

Context-dependent logic: The method can inspect any state it wants — nonces, deadlines, authorized signer lists, role mappings — so signature validity can depend on more than just the cryptographic check. This is explicitly supported: "time based or state based".

Two arguments instead of one: A raw message plus hashing scheme would be ambiguous. Instead the hash is computed by the caller and passed directly. Callers and contracts must agree on the hashing scheme out of band — typically EIP-712 with a domain separator.

→

ERC-1271: Standard Signature Validation Method for Contracts

ERC-1271: Standard Signature Validation Method for Contracts (source)

EIP-1271 isValidSignature (concept)

Smart Account Signatures (concept)

Off-Chain Signatures (concept — updated)

EIP-712: Typed structured data hashing and signing (concept — updated)

→

Message signatures (Safe Protocol Kit) Official Safe documentation explaining how to generate, sign, publish, and validate messages from a Safe account using the @safe-global/protocol-kit TypeScript SDK. It is the practical implementation companion to the abstract standards machinery — EIP-712, EIP-1271, and Safe's CompatibilityFallbackHandler + SignMessageLib contracts — showing the exact method calls a developer uses to collect ECDSA signatures from EOA owners, contract signatures from nested Safe owners, publish the result either off-chain to the Safe Transaction Service or on-chain via a signMessage delegatecall, and verify the final signature through isValidSignature. →

Message signatures (Safe Protocol Kit)

EIP-712 is the hashing scheme used by ETH_SIGN_TYPED_DATA_V4 and by hashSafeMessage (which wraps the inner EIP-712 digest in a SafeMessage(bytes) struct under Safe's own domain).

EIP-1271 is the interface that protocolKit.isValidSignature calls — through the CompatibilityFallbackHandler contract — to complete validation.

Smart Account Signatures describes the branching verifier logic; the Protocol Kit is the signer-side SDK that produces what those verifiers expect.

Off-Chain Signatures is the broader pattern; the Safe Transaction Service + API Kit is Safe's implementation of it.

Creating a Farcaster Account by Hand performs the same on-chain SignMessageLib pre-approval flow manually with cast. The Protocol Kit automates that same flow as a single function call: getSignMessageLibContract + encode('signMessage', [messageHash]) + createTransaction + executeTransaction.

→

EIP-1271 isValidSignature

An EIP-712 digest with a specific domain separator

An Ethereum Signed Message hash ("\x19Ethereum Signed Message:\n32" ‖ message)

A raw keccak256 of arbitrary bytes

A Safe-wrapped version of another EIP-712 digest

Anything else the contract's author decided on

→

EIP-1271 isValidSignature

ERC-1271: Standard Signature Validation Method for Contracts: the full standard

Smart Account Signatures: how verifiers route between ecrecover and isValidSignature

Off-Chain Signatures: the broader pattern

EIP-712: Typed structured data hashing and signing: the hashing standard almost always used to produce the hash argument

Creating a Farcaster Account by Hand: applied example of the empty-signature Safe mode

→

ERC-1271: Standard Signature Validation Method for Contracts Why two arguments: A single "raw message" argument would force every contract to agree on a hashing scheme. EIP-1271 instead takes a pre-hashed bytes32, leaving the hashing scheme out of scope. Callers and contracts must agree on the scheme — typically EIP-712 with a domain separator — but the standard does not mandate it. →

ERC-1271: Standard Signature Validation Method for Contracts

EIP-1271 isValidSignature: the method signature, magic value, and state-purity requirement in detail

Smart Account Signatures: how EIP-1271 closes the gap between EOA and contract signers

Off-Chain Signatures: the broader pattern that EIP-1271 extends to smart accounts

EIP-712: Typed structured data hashing and signing: the hashing standard most commonly used with EIP-1271

Ethereum Signed Message Encoding: the leading-byte disambiguation that distinguishes the signed digest from transactions and raw messages

Creating a Farcaster Account by Hand: applied example routing an EIP-712 digest through a Safe via EIP-1271

→

EIP-712 Domain Separator The domain separator is the 32-byte value that binds an EIP-712 signature to a specific protocol, version, chain, and contract. It is the mechanism that prevents a signature produced for one DApp from being replayed against another — even when the two DApps use structurally identical message types. →

EIP-712 Domain Separator

EIP-712: Typed structured data hashing and signing: the parent standard

EIP-712 hashStruct: the hashing function used to compute the domain separator

EIP-712 Typed Data: the type system that EIP712Domain is an instance of

Off-Chain Signatures: the broader pattern the domain separator makes safe

Creating a Farcaster Account by Hand: applied example computing a real domain separator

→

EIP-712 hashStruct hashStruct is the core hashing function of EIP-712. It turns a typed struct instance into a 32-byte digest that is type-separated, deterministic, and injective within its type. It is the building block that the full signable-message encoding wraps in a domain separator and an ERC-191 prefix before signing. →

EIP-712 hashStruct

EIP-712: Typed structured data hashing and signing: the parent standard

EIP-712 Typed Data: the type system that feeds encodeType and encodeData

EIP-712 Domain Separator: the top-level hashStruct call that wraps every signature

→

EIP-712 Typed Data The type system that EIP-712 uses to describe signable structured messages. Modeled on Solidity structs, it gives wallets enough information to render human-readable signing prompts and gives contracts a canonical form to hash and verify. →

EIP-712 Typed Data

EIP-712: Typed structured data hashing and signing: the parent standard

EIP-712 hashStruct: how the type encoding becomes a hash

EIP-712 Domain Separator: the mandatory top-level EIP712Domain type

→

EthSafeMessage

Safe Protocol Kit: the SDK that creates and operates on EthSafeMessage instances

Safe Protocol Kit Message Signatures: the end-to-end signing flow

Safe SigningMethod: the enum used to drive signMessage calls against an EthSafeMessage

Safe Nested Contract Signatures: how contract signatures enter the signature map

EIP-712: Typed structured data hashing and signing: the type of data that can appear in the data field

Smart Account Signatures: the verifier-side pattern this accumulator eventually feeds

→

Ethereum Signed Message Encoding Ethereum signs more than one kind of data: transactions, raw byte strings, and (since EIP-712) typed structured data. All three must be distinguishable from each other at the signature layer, or else an attacker could take a signature intended for one purpose and replay it as another. The leading-byte encoding scheme defined by ERC-191 and extended by EIP-712 is the mechanism that keeps them safely separated. →

Ethereum Signed Message Encoding

EIP-712: Typed structured data hashing and signing: the standard that uses the \x19\x01 prefix

EIP-712 Domain Separator: the 32-byte value that follows the prefix

EIP-712 hashStruct: the 32-byte value at the end of the encoding

Off-Chain Signatures: the broader pattern this encoding secures

→

Digital Identity

EIP-712: Typed structured data hashing and signing — canonical standard for type-safe, human-readable signing

EIP-712 Typed Data — the type system for signable structured messages

EIP-712 hashStruct — core hashing algorithm

EIP-712 Domain Separator — binding signatures to chain, contract, protocol

Ethereum Signed Message Encoding — leading-byte disambiguation across message kinds

Off-Chain Signatures — the pattern EIP-712 secures

ERC-1271: Standard Signature Validation Method for Contracts — contract-owned identities signing via isValidSignature

EIP-1271 isValidSignature — the magic-value interface method in detail

Smart Account Signatures — bridging EOA and contract signers behind one verifier path

Creating a Farcaster Account by Hand — applied example: Safe custody + EIP-1271 + EIP-712 for self-sovereign Farcaster onboarding

→

Off-Chain Signatures Off-chain signatures are the pattern of authorizing on-chain actions by signing a message off-chain and letting a smart contract verify the signature later. The signer pays no gas to produce the signature; whoever submits it to the chain pays gas for the verification and the authorized action. EIP-712 is the standard that makes this pattern safe at scale. →

Off-Chain Signatures

EIP-712: Typed structured data hashing and signing: the standard that makes off-chain signing safe

EIP-712 Domain Separator: the mechanism preventing cross-domain replay

EIP-712 hashStruct: how the signed digest is computed

Ethereum Signed Message Encoding: the leading-byte disambiguation that prevents collisions

ERC-1271: Standard Signature Validation Method for Contracts: the standard extending off-chain signing to smart accounts

Smart Account Signatures: the EOA vs contract signer verification pattern

Creating a Farcaster Account by Hand: walkthrough of an off-chain signature flow with Safe + EIP-1271

→

Safe Protocol Kit Message Signatures Official Safe guide describing the end-to-end flow for producing, publishing, and validating messages signed by a Safe account using the @safe-global/protocol-kit TypeScript SDK. It is the practical counterpart to EIP-712 and EIP-1271 — showing exactly which SDK methods to call for each step of the flow that those specifications describe abstractly. →

Safe Protocol Kit Message Signatures This guide is the missing link between the standards layer (EIP-712, EIP-1271, Off-Chain Signatures) and a working production implementation. It names the exact methods, enums, types, and API calls a developer uses, and it covers all the cases the standards leave implementation-defined: nested Safes, two publication modes, two validation modes, and the wrapping that Safe applies on top of raw EIP-712 digests. →

Safe Protocol Kit Message Signatures

Safe Protocol Kit: the SDK that provides these methods

EthSafeMessage: the in-memory signature accumulator

Safe SigningMethod: the enum that selects between ECDSA, EIP-712, and nested-Safe signing

Safe Nested Contract Signatures: the recursive pattern for Safes owned by Safes

SignMessageLib: the delegatecall target for on-chain message pre-approval

Safe Transaction Service: the off-chain storage backend for messages and signatures

EIP-712: Typed structured data hashing and signing: the hashing standard

EIP-1271: Standard Signature Validation Method for Contracts: the verification standard the SDK wraps

Smart Account Signatures: the verifier-side pattern this SDK feeds

Off-Chain Signatures: the broader pattern

Creating a Farcaster Account by Hand: applied example performing the same on-chain pre-approval flow manually

→

Safe Protocol Kit

Safe Protocol Kit Message Signatures: the end-to-end message signing flow

EthSafeMessage: the message signature accumulator

Safe SigningMethod: the signing-method enum

Safe Nested Contract Signatures: the recursive pattern for Safes owned by Safes

SignMessageLib: the delegatecall target the SDK uses for on-chain pre-approvals

Safe Transaction Service: the off-chain backend the API Kit talks to

EIP-712: the hashing standard the SDK produces signatures over

EIP-1271: the validation standard the SDK calls through for contract signers

→

Safe SigningMethod Used for structured messages that conform to the EIP-712 type system. The owner's wallet computes: →

Safe SigningMethod

Safe Protocol Kit: the SDK that exposes SigningMethod

Safe Protocol Kit Message Signatures: the flow that uses the enum

EthSafeMessage: the accumulator where signed results land

Safe Nested Contract Signatures: the recursive flow triggered by SAFE_SIGNATURE

EIP-712: Typed structured data hashing and signing: what ETH_SIGN_TYPED_DATA_V4 produces

Ethereum Signed Message Encoding: what ETH_SIGN produces

EIP-1271: Standard Signature Validation Method for Contracts: what SAFE_SIGNATURE ultimately verifies through

→

SignMessageLib

Safe Protocol Kit: the SDK wrapper around SignMessageLib

Safe Protocol Kit Message Signatures: the flow that uses the library

EIP-1271: Standard Signature Validation Method for Contracts: the interface the stored hash ultimately satisfies

EIP-1271 isValidSignature: the empty-signature pre-approved-hash mode

EIP-712: Typed structured data hashing and signing: the wrapping the library uses internally

Smart Account Signatures: the broader pattern of pre-approved hashes as on-chain signatures

Creating a Farcaster Account by Hand: applied example with manual cast commands

→

Smart Account Signatures

Hashing scheme: Raw keccak256, Ethereum Signed Message, EIP-712 with a specific domain — in modern Ethereum, EIP-712 is the default.

Signature format: ECDSA bytes, multisig concatenation, empty-bytes pre-approval, custom blob.

Nonce management: Who tracks replay protection, and whether the nonce is inside the signature or inside the contract state.

Deadline: Whether the digest has a deadline baked in, and who enforces it.

→

Smart Account Signatures

ERC-1271: Standard Signature Validation Method for Contracts: the standard this page depends on

EIP-1271 isValidSignature: the interface method in detail

Off-Chain Signatures: the broader pattern smart accounts need to participate in

EIP-712: Typed structured data hashing and signing: the hashing standard smart accounts almost always use

Creating a Farcaster Account by Hand: applied example of Safe + EIP-1271 + pre-approved hash

→